openSUSE-SU-2019:2181

https://lore.kernel.org/linux-wireless/20190804003101.11541-1-benquike@gmail.com/T/#u

https://security.netapp.com/advisory/ntap-20190905-0002/

https://support.f5.com/csp/article/K76295179

https://support.f5.com/csp/article/K76295179?utm_source=f5support&amp;utm_medium=RSS

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1567 advisory.

  - kernel: nfs: NULL pointer dereference due to an     anomalized NFS message sequence (CVE-2018-16871)

  - Kernel: net: using kernel space address bits to derive     IP ID may potentially break KASLR (CVE-2019-10639)

  - kernel: An out-of-bounds read in     drivers/scsi/qedi/qedi_dbg.c leading to crash or     information disclosure (CVE-2019-15090)

  - kernel: a NULL pointer dereference in     drivers/net/wireless/ath/ath10k/usb.c leads to a crash     (CVE-2019-15099)

  - kernel: Null pointer dereference in the     sound/usb/line6/pcm.c (CVE-2019-15221)

  - kernel: unprivileged users able to create RAW sockets     in AF_IEEE802154 network protocol. (CVE-2019-17053)

  - kernel: unprivileged users able to create RAW sockets in     AF_ISDN  network protocol. (CVE-2019-17055)

  - kernel: integer overflow in tcp_ack_update_rtt in     net/ipv4/tcp_input.c (CVE-2019-18805)

  - kernel: Two memory leaks in the     mwifiex_pcie_init_evt_ring() function in     drivers/net/wireless/marvell/mwifiex/pcie.c allows for a     DoS (CVE-2019-19057)

  - kernel: Memory leaks in     drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux     kernel (DOS) (CVE-2019-19073)

  - kernel: a memory leak in the ath9k management function     in allows local DoS (CVE-2019-19074)

  - kernel: information leak bug caused  by a malicious USB     device in the     drivers/net/can/usb/peak_usb/pcan_usb_core.c driver     (CVE-2019-19534)

  - kernel: use-after-free in __blk_add_trace in     kernel/trace/blktrace.c (CVE-2019-19768)

  - kernel: when cpu.cfs_quota_us is used allows attackers     to cause a denial of service against non-cpu-bound     applications (CVE-2019-19922)

  - kernel: memory leak in the kernel_read_file function in     fs/exec.c allows to cause a denial of service     (CVE-2019-8980)

  - kernel: some ipv6 protocols not encrypted over ipsec     tunnel. (CVE-2020-1749)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1769 advisory.

  - kernel: nfs: NULL pointer dereference due to an     anomalized NFS message sequence (CVE-2018-16871)

  - Kernel: net: using kernel space address bits to derive     IP ID may potentially break KASLR (CVE-2019-10639)

  - kernel: An out-of-bounds read in     drivers/scsi/qedi/qedi_dbg.c leading to crash or     information disclosure (CVE-2019-15090)

  - kernel: a NULL pointer dereference in     drivers/net/wireless/ath/ath10k/usb.c leads to a crash     (CVE-2019-15099)

  - kernel: Null pointer dereference in the     sound/usb/line6/pcm.c (CVE-2019-15221)

  - kernel: unprivileged users able to create RAW sockets     in AF_IEEE802154 network protocol. (CVE-2019-17053)

  - kernel: unprivileged users able to create RAW sockets in     AF_ISDN  network protocol. (CVE-2019-17055)

  - kernel: integer overflow in tcp_ack_update_rtt in     net/ipv4/tcp_input.c (CVE-2019-18805)

  - kernel: Two memory leaks in the     mwifiex_pcie_init_evt_ring() function in     drivers/net/wireless/marvell/mwifiex/pcie.c allows for a     DoS (CVE-2019-19057)

  - kernel: Memory leaks in     drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux     kernel (DOS) (CVE-2019-19073)

  - kernel: a memory leak in the ath9k management function     in allows local DoS (CVE-2019-19074)

  - kernel: information leak bug caused  by a malicious USB     device in the     drivers/net/can/usb/peak_usb/pcan_usb_core.c driver     (CVE-2019-19534)

  - kernel: use-after-free in __blk_add_trace in     kernel/trace/blktrace.c (CVE-2019-19768)

  - kernel: when cpu.cfs_quota_us is used allows attackers     to cause a denial of service against non-cpu-bound     applications (CVE-2019-19922)

  - kernel: memory leak in the kernel_read_file function in     fs/exec.c allows to cause a denial of service     (CVE-2019-8980)

  - kernel: some ipv6 protocols not encrypted over ipsec     tunnel. (CVE-2020-1749)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1493 advisory.

  - kernel: heap-based buffer overflow in     mwifiex_process_country_ie() function in     drivers/net/wireless/marvell/mwifiex/sta_ioctl.c     (CVE-2019-14895)

  - kernel: heap overflow in marvell/mwifiex/tdls.c     (CVE-2019-14901)

  - kernel: powerpc: local user can read vector registers of     other users' processes via an interrupt (CVE-2019-15031)

  - kernel: a NULL pointer dereference in     drivers/net/wireless/ath/ath10k/usb.c leads to a crash     (CVE-2019-15099)

  - kernel: out-of-bounds array access in
    __xfrm_policy_unlink (CVE-2019-15666)

  - kernel: when cpu.cfs_quota_us is used allows attackers     to cause a denial of service against non-cpu-bound     applications (CVE-2019-19922)

  - kernel: Null pointer dereference in drop_sysctl_table()     in fs/proc/proc_sysctl.c (CVE-2019-20054)

  - kernel: memory leak in mwifiex_tm_cmd in     drivers/net/wireless/marvell/mwifiex/cfg80211.c     (CVE-2019-20095)

  - kernel: triggering AP to send IAPP location updates for     stations before the required authentication process has     completed can lead to DoS (CVE-2019-5108)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc. Security Fix(es):An issue was discovered     in the Linux kernel before 5.2.3. There is a     use-after-free caused by a malicious USB device in the     drivers/media/usb/dvb-usb/dvb-usb-init.c     driver.(CVE-2019-15213)An issue was discovered in the     Linux kernel before 5.2.6. There is a use-after-free     caused by a malicious USB device in the     drivers/media/usb/cpia2/cpia2_usb.c     driver.(CVE-2019-15215)An issue was discovered in the     Linux kernel before 5.2.3. There is a NULL pointer     dereference caused by a malicious USB device in the     drivers/media/usb/zr364xx/zr364xx.c     driver.(CVE-2019-15217)An issue was discovered in the     Linux kernel before 5.1.8. There is a double-free     caused by a malicious USB device in the     drivers/usb/misc/rio500.c driver.(CVE-2019-15212)An     issue was discovered in the Linux kernel before 5.0.14.
    There is a NULL pointer dereference caused by a     malicious USB device in the drivers/usb/misc/yurex.c     driver.(CVE-2019-15216)An issue was discovered in     drivers/scsi/qedi/qedi_dbg.c in the Linux kernel before     5.1.12. In the qedi_dbg_* family of functions, there is     an out-of-bounds read.(CVE-2019-15090)An issue was     discovered in the Linux kernel before 5.0.9. There is a     NULL pointer dereference for a cd data structure if     alloc_disk fails in     drivers/block/paride/pf.c.(CVE-2019-15923)An issue was     discovered in the Linux kernel before 5.0.10.
    SMB2_negotiate in fs/cifs/smb2pdu.c has an     out-of-bounds read because data structures are     incompletely updated after a change from smb30 to     smb21.(CVE-2019-15918)An issue was discovered in the     Linux kernel before 5.0.9. There is a NULL pointer     dereference for a pf data structure if alloc_disk fails     in drivers/block/paride/pf.c.(CVE-2019-15922)An issue     was discovered in the Linux kernel before 5.2.3. Out of     bounds access exists in the functions     ath6kl_wmi_pstream_timeout_event_rx and     ath6kl_wmi_cac_event_rx in the file     driverset/wireless/ath/ath6kl/wmi.c.(CVE-2019-15926)An     issue was discovered in the Linux kernel before 5.0.11.
    fm10k_init_module in     driverset/ethernet/intel/fm10k/fm10k_main.c has a NULL     pointer dereference because there is no -ENOMEM upon an     alloc_workqueue failure.(CVE-2019-15924)A buffer     overflow flaw was found, in versions from 2.6.34 to     5.2.x, in the way Linux kernel's vhost functionality     that translates virtqueue buffers to IOVs, logged the     buffer descriptors during migration. A privileged guest     user able to pass descriptors with invalid length to     the host when migration is underway, could use this     flaw to increase their privileges on the     host.(CVE-2019-14835)In the Linux kernel through 5.2.14     on the powerpc platform, a local user can read vector     registers of other users' processes via an interrupt.
    To exploit the venerability, a local user starts a     transaction (via the hardware transactional memory     instruction tbegin) and then accesses vector registers.
    At some point, the vector registers will be corrupted     with the values from a different local Linux process,     because MSR_TM_ACTIVE is misused in     arch/powerpc/kernel/process.c.(CVE-2019-15031)In the     Linux kernel through 5.2.14 on the powerpc platform, a     local user can read vector registers of other users'     processes via a Facility Unavailable exception. To     exploit the venerability, a local user starts a     transaction (via the hardware transactional memory     instruction tbegin) and then accesses vector registers.
    At some point, the vector registers will be corrupted     with the values from a different local Linux process     because of a missing arch/powerpc/kernel/process.c     check.(CVE-2019-15030)There is heap-based buffer     overflow in kernel, all versions up to, excluding 5.3,     in the marvell wifi chip driver in Linux kernel, that     allows local users to cause a denial of service(system     crash) or possibly execute arbitrary     code.(CVE-2019-14816)A vulnerability was found in Linux     Kernel, where a Heap Overflow was found in     mwifiex_set_wmm_params() function of Marvell Wifi     Driver.(CVE-2019-14815)There is heap-based buffer     overflow in Linux kernel, all versions up to, excluding     5.3, in the marvell wifi chip driver in Linux kernel,     that allows local users to cause a denial of     service(system crash) or possibly execute arbitrary     code.(CVE-2019-14814)driverset/wireless/ath/ath10k/usb.
    c in the Linux kernel through 5.2.8 has a NULL pointer     dereference via an incomplete address in an endpoint     descriptor.(CVE-2019-15099)driverset/wireless/ath/ath6k     l/usb.c in the Linux kernel through 5.2.8 has a NULL     pointer dereference via an incomplete address in an     endpoint     descriptor.(CVE-2019-15098)driverset/wireless/rsi/rsi_9     1x_usb.c in the Linux kernel through 5.2.9 has a Double     Free via crafted USB device traffic (which may be     remote via usbip or usbredir).CVE-2019-15504)In the     Linux kernel before 5.2.14, rds6_inc_info_copy in     net/rds/recv.c allows attackers to obtain sensitive     information from kernel stack memory because tos and     flags fields are not     initialized.(CVE-2019-16714)drivers/scsi/qla2xxx/qla_os     .c in the Linux kernel 5.2.14 does not check the     alloc_workqueue return value, leading to a NULL pointer     dereference.(CVE-2019-16233)An issue was discovered in     the Linux kernel through 5.2.13. nbd_genl_status in     drivers/blockbd.c does not check the     nla_nest_start_noflag return     value.(CVE-2019-16089)llcp_sock_create in     netfc/llcp_sock.c in the AF_NFC network module in the     Linux kernel through 5.3.2 does not enforce     CAP_NET_RAW, which means that unprivileged users can     create a raw socket, aka     CID-3a359798b176.(CVE-2019-17056)base_sock_create in     drivers/isdn/mISDN/socket.c in the AF_ISDN network     module in the Linux kernel through 5.3.2 does not     enforce CAP_NET_RAW, which means that unprivileged     users can create a raw socket, aka     CID-b91ee4aa2a21.(CVE-2019-17055)atalk_create in     net/appletalk/ddp.c in the AF_APPLETALK network module     in the Linux kernel through 5.3.2 does not enforce     CAP_NET_RAW, which means that unprivileged users can     create a raw socket, aka     CID-6cc03e8aa36c.(CVE-2019-17054)ieee802154_create in     net/ieee802154/socket.c in the AF_IEEE802154 network     module in the Linux kernel through 5.3.2 does not     enforce CAP_NET_RAW, which means that unprivileged     users can create a raw socket, aka     CID-e69dbd4619e7.(CVE-2019-17053)ax25_create in     net/ax25/af_ax25.c in the AF_AX25 network module in the     Linux kernel through 5.3.2 does not enforce     CAP_NET_RAW, which means that unprivileged users can     create a raw socket, aka     CID-0614e2b73768.(CVE-2019-17052)An issue was     discovered in write_tpt_entry in     drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel     through 5.3.2. The cxgb4 driver is directly calling     dma_map_single (a DMA function) from a stack variable.
    This could allow an attacker to trigger a Denial of     Service, exploitable if this driver is used on an     architecture for which this stack/DMA interaction has     security relevance.(CVE-2019-17075)rtl_p2p_noa_ie in     driverset/wireless/realtek/rtlwifi/ps.c in the Linux     kernel through 5.3.6 lacks a certain upper-bound check,     leading to a buffer overflow.(CVE-2019-17666)In the     Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid     in net/wireless/wext-sme.c does not reject a long SSID     IE, leading to a Buffer Overflow.(CVE-2019-17133)An     issue was discovered in net/wirelessl80211.c in the     Linux kernel through 5.2.17. It does not check the     length of variable elements in a beacon head, leading     to a buffer overflow.(CVE-2019-16746)Insufficient     access control in the Intel(R) PROSet/Wireless WiFi     Software driver before version 21.10 may allow an     unauthenticated user to potentially enable denial of     service via adjacent     access.(CVE-2019-0136)driverset/wireless/intel/iwlwifi/     pcie/trans.c in the Linux kernel 5.2.14 does not check     the alloc_workqueue return value, leading to a NULL     pointer dereference.(CVE-2019-16234)A memory leak in     the ql_alloc_large_buffers() function in     driverset/ethernet/qlogic/qla3xxx.c in the Linux kernel     before 5.3.5 allows local users to cause a denial of     service (memory consumption) by triggering     pci_dma_mapping_error() failures, aka     CID-1acb8f2a7a9f.(CVE-2019-18806)A memory leak in the     dwc3_pci_probe() function in     drivers/usb/dwc3/dwc3-pci.c in the Linux kernel through     5.3.9 allows attackers to cause a denial of service     (memory consumption) by triggering     platform_device_add_properties() failures, aka     CID-9bbfceea12a8.(CVE-2019-18813)A memory leak in the     af9005_identify_state() function in     drivers/media/usb/dvb-usb/af9005.c in the Linux kernel     through 5.3.9 allows attackers to cause a denial of     service (memory consumption), aka     CID-2289adbfa559.(CVE-2019-18809)fs/btrfs/volumes.c in     the Linux kernel before 5.1 allows a     btrfs_verify_dev_extents NULL pointer dereference via a     crafted btrfs image because fs_devices->devices is     mishandled within find_device, aka     CID-09ba3bc9dd15.(CVE-2019-18885)A memory leak in the     ccp_run_sha_cmd() function in     drivers/crypto/ccp/ccp-ops.c in the Linux kernel     through 5.3.9 allows attackers to cause a denial of     service (memory consumption), aka     CID-128c66429247.(CVE-2019-18808)A memory leak in the     bfad_im_get_stats() function in     drivers/scsi/bfa/bfad_attr.c in the Linux kernel     through 5.3.11 allows attackers to cause a denial of     service (memory consumption) by triggering     bfa_port_get_stats() failures, aka     CID-0e62395da2bd.(CVE-2019-19066)Note:
    kernel-4.19.36-vhulk1907.1.0.h529 and earlier versions     in EulerOS Virtualization for ARM 64 3.0.2.0 return     incorrect time information when executing the uname -a     command.

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors.
A local attacker could use this to expose sensitive information.
(CVE-2019-14615)

It was discovered that the Atheros 802.11ac wireless USB device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15099)

It was discovered that the HSA Linux kernel driver for AMD GPU devices did not properly check for errors in certain situations, leading to a NULL pointer dereference. A local attacker could possibly use this to cause a denial of service. (CVE-2019-16229)

It was discovered that the Marvell 8xxx Libertas WLAN device driver in the Linux kernel did not properly check for errors in certain situations, leading to a NULL pointer dereference. A local attacker could possibly use this to cause a denial of service. (CVE-2019-16232)

It was discovered that a race condition existed in the Virtual Video Test Driver in the Linux kernel. An attacker with write access to /dev/video0 on a system with the vivid module loaded could possibly use this to gain administrative privileges. (CVE-2019-18683)

It was discovered that the Renesas Digital Radio Interface (DRIF) driver in the Linux kernel did not properly initialize data. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-18786)

It was discovered that the Afatech AF9005 DVB-T USB device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-18809)

It was discovered that the btrfs file system in the Linux kernel did not properly validate metadata, leading to a NULL pointer dereference.
An attacker could use this to specially craft a file system image that, when mounted, could cause a denial of service (system crash).
(CVE-2019-18885)

It was discovered that multiple memory leaks existed in the Marvell WiFi-Ex Driver for the Linux kernel. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion).
(CVE-2019-19057)

It was discovered that the crypto subsystem in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19062)

It was discovered that the Realtek rtlwifi USB device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19063)

It was discovered that the RSI 91x WLAN device driver in the Linux kernel did not properly deallocate memory in certain error conditions.
A local attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19071)

It was discovered that the Atheros 802.11ac wireless USB device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19078)

It was discovered that the AMD GPU device drivers in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could use this to possibly cause a denial of service (kernel memory exhaustion). (CVE-2019-19082)

Dan Carpenter discovered that the AppleTalk networking subsystem of the Linux kernel did not properly handle certain error conditions, leading to a NULL pointer dereference. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-19227)

It was discovered that the KVM hypervisor implementation in the Linux kernel did not properly handle ioctl requests to get emulated CPUID features. An attacker with access to /dev/kvm could use this to cause a denial of service (system crash). (CVE-2019-19332)

It was discovered that the ext4 file system implementation in the Linux kernel did not properly handle certain conditions. An attacker could use this to specially craft an ext4 file system that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-19767)

Gao Chuan discovered that the SAS Class driver in the Linux kernel contained a race condition that could lead to a NULL pointer dereference. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-19965)

It was discovered that the Datagram Congestion Control Protocol (DCCP) implementation in the Linux kernel did not properly deallocate memory in certain error conditions. An attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-20096)

Mitchell Frank discovered that the Wi-Fi implementation in the Linux kernel when used as an access point would send IAPP location updates for stations before client authentication had completed. A physically proximate attacker could use this to cause a denial of service.
(CVE-2019-5108)

It was discovered that a race condition can lead to a use-after-free while destroying GEM contexts in the i915 driver for the Linux kernel.
A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-7053)

It was discovered that the B2C2 FlexCop USB device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15291).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors.
A local attacker could use this to expose sensitive information.
(CVE-2019-14615)

It was discovered that the Atheros 802.11ac wireless USB device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15099)

It was discovered that the HSA Linux kernel driver for AMD GPU devices did not properly check for errors in certain situations, leading to a NULL pointer dereference. A local attacker could possibly use this to cause a denial of service. (CVE-2019-16229)

It was discovered that the Marvell 8xxx Libertas WLAN device driver in the Linux kernel did not properly check for errors in certain situations, leading to a NULL pointer dereference. A local attacker could possibly use this to cause a denial of service. (CVE-2019-16232)

It was discovered that a race condition existed in the Virtual Video Test Driver in the Linux kernel. An attacker with write access to /dev/video0 on a system with the vivid module loaded could possibly use this to gain administrative privileges. (CVE-2019-18683)

It was discovered that the Renesas Digital Radio Interface (DRIF) driver in the Linux kernel did not properly initialize data. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-18786)

It was discovered that the Sound Open Firmware (SOF) driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-18811)

It was discovered that the crypto subsystem in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19050, CVE-2019-19062)

It was discovered that multiple memory leaks existed in the Marvell WiFi-Ex Driver for the Linux kernel. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion).
(CVE-2019-19057)

It was discovered that the Realtek rtlwifi USB device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19063)

It was discovered that the RSI 91x WLAN device driver in the Linux kernel did not properly deallocate memory in certain error conditions.
A local attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19071)

It was discovered that the Broadcom Netxtreme HCA device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19077)

It was discovered that the Atheros 802.11ac wireless USB device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19078)

It was discovered that the AMD GPU device drivers in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could use this to possibly cause a denial of service (kernel memory exhaustion). (CVE-2019-19082)

It was discovered that the IO uring implementation in the Linux kernel did not properly perform credentials checks in certain situations. A local attacker could possibly use this to gain administrative privileges. (CVE-2019-19241)

Or Cohen discovered that the virtual console subsystem in the Linux kernel did not properly restrict writes to unimplemented vcsu (unicode) devices. A local attacker could possibly use this to cause a denial of service (system crash) or have other unspecified impacts.
(CVE-2019-19252)

It was discovered that the KVM hypervisor implementation in the Linux kernel did not properly handle ioctl requests to get emulated CPUID features. An attacker with access to /dev/kvm could use this to cause a denial of service (system crash). (CVE-2019-19332)

It was discovered that a race condition existed in the Linux kernel on x86 platforms when keeping track of which process was assigned control of the FPU. A local attacker could use this to cause a denial of service (memory corruption) or possibly gain administrative privileges. (CVE-2019-19602)

It was discovered that the ext4 file system implementation in the Linux kernel did not properly handle certain conditions. An attacker could use this to specially craft an ext4 file system that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-19767)

It was discovered that the Kvaser CAN/USB driver in the Linux kernel did not properly initialize memory in certain situations. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-19947)

Gao Chuan discovered that the SAS Class driver in the Linux kernel contained a race condition that could lead to a NULL pointer dereference. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-19965)

It was discovered that the B2C2 FlexCop USB device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15291).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the Atheros 802.11ac wireless USB device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15099)

It was discovered that a race condition existed in the Virtual Video Test Driver in the Linux kernel. An attacker with write access to /dev/video0 on a system with the vivid module loaded could possibly use this to gain administrative privileges. (CVE-2019-18683)

It was discovered that the btrfs file system in the Linux kernel did not properly validate metadata, leading to a NULL pointer dereference.
An attacker could use this to specially craft a file system image that, when mounted, could cause a denial of service (system crash).
(CVE-2019-18885)

It was discovered that the crypto subsystem in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19050, CVE-2019-19062)

It was discovered that the RSI 91x WLAN device driver in the Linux kernel did not properly deallocate memory in certain error conditions.
A local attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19071)

It was discovered that the Broadcom Netxtreme HCA device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19077)

It was discovered that the Atheros 802.11ac wireless USB device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19078)

It was discovered that the Qualcomm IPC Router TUN device driver in the Linux kernel did not properly deallocate memory in certain situations. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19079)

It was discovered that the AMD GPU device drivers in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could use this to possibly cause a denial of service (kernel memory exhaustion). (CVE-2019-19082)

Dan Carpenter discovered that the AppleTalk networking subsystem of the Linux kernel did not properly handle certain error conditions, leading to a NULL pointer dereference. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-19227)

Or Cohen discovered that the virtual console subsystem in the Linux kernel did not properly restrict writes to unimplemented vcsu (unicode) devices. A local attacker could possibly use this to cause a denial of service (system crash) or have other unspecified impacts.
(CVE-2019-19252)

It was discovered that the KVM hypervisor implementation in the Linux kernel did not properly handle ioctl requests to get emulated CPUID features. An attacker with access to /dev/kvm could use this to cause a denial of service (system crash). (CVE-2019-19332)

It was discovered that the ext4 file system implementation in the Linux kernel did not properly handle certain conditions. An attacker could use this to specially craft an ext4 file system that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-19767)

It was discovered that the B2C2 FlexCop USB device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15291).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - An issue was discovered in the Linux kernel before     5.2.3. There is a use-after-free caused by a malicious     USB device in the     drivers/media/usb/dvb-usb/dvb-usb-init.c     driver.(CVE-2019-15213)

  - An issue was discovered in the Linux kernel before     5.2.6. There is a use-after-free caused by a malicious     USB device in the drivers/media/usb/cpia2/cpia2_usb.c     driver.(CVE-2019-15215)

  - An issue was discovered in the Linux kernel before     5.2.3. There is a NULL pointer dereference caused by a     malicious USB device in the     drivers/media/usb/zr364xx/zr364xx.c     driver.(CVE-2019-15217)

  - An issue was discovered in the Linux kernel before     5.1.8. There is a double-free caused by a malicious USB     device in the drivers/usb/misc/rio500.c     driver.(CVE-2019-15212)

  - An issue was discovered in the Linux kernel before     5.0.14. There is a NULL pointer dereference caused by a     malicious USB device in the drivers/usb/misc/yurex.c     driver.(CVE-2019-15216)

  - An issue was discovered in drivers/scsi/qedi/qedi_dbg.c     in the Linux kernel before 5.1.12. In the qedi_dbg_*     family of functions, there is an out-of-bounds     read.(CVE-2019-15090)

  - An issue was discovered in the Linux kernel before     5.0.9. There is a NULL pointer dereference for a cd     data structure if alloc_disk fails in     drivers/block/paride/pf.c.(CVE-2019-15923)

  - An issue was discovered in the Linux kernel before     5.0.10. SMB2_negotiate in fs/cifs/smb2pdu.c has an     out-of-bounds read because data structures are     incompletely updated after a change from smb30 to     smb21.(CVE-2019-15918)

  - An issue was discovered in the Linux kernel before     5.0.9. There is a NULL pointer dereference for a pf     data structure if alloc_disk fails in     drivers/block/paride/pf.c.(CVE-2019-15922)

  - An issue was discovered in the Linux kernel before     5.2.3. Out of bounds access exists in the functions     ath6kl_wmi_pstream_timeout_event_rx and     ath6kl_wmi_cac_event_rx in the file     drivers/net/wireless/ath/ath6kl/wmi.c.(CVE-2019-15926)

  - An issue was discovered in the Linux kernel before     5.0.11. fm10k_init_module in     drivers/net/ethernet/intel/fm10k/fm10k_main.c has a     NULL pointer dereference because there is no -ENOMEM     upon an alloc_workqueue failure.(CVE-2019-15924)

  - A buffer overflow flaw was found, in versions from     2.6.34 to 5.2.x, in the way Linux kernel's vhost     functionality that translates virtqueue buffers to     IOVs, logged the buffer descriptors during migration. A     privileged guest user able to pass descriptors with     invalid length to the host when migration is underway,     could use this flaw to increase their privileges on the     host.(CVE-2019-14835)

  - In the Linux kernel through 5.2.14 on the powerpc     platform, a local user can read vector registers of     other users' processes via an interrupt. To exploit the     venerability, a local user starts a transaction (via     the hardware transactional memory instruction tbegin)     and then accesses vector registers. At some point, the     vector registers will be corrupted with the values from     a different local Linux process, because MSR_TM_ACTIVE     is misused in     arch/powerpc/kernel/process.c.(CVE-2019-15031)

  - In the Linux kernel through 5.2.14 on the powerpc     platform, a local user can read vector registers of     other users' processes via a Facility Unavailable     exception. To exploit the venerability, a local user     starts a transaction (via the hardware transactional     memory instruction tbegin) and then accesses vector     registers. At some point, the vector registers will be     corrupted with the values from a different local Linux     process because of a missing     arch/powerpc/kernel/process.c check.(CVE-2019-15030)

  - There is heap-based buffer overflow in kernel, all     versions up to, excluding 5.3, in the marvell wifi chip     driver in Linux kernel, that allows local users to     cause a denial of service(system crash) or possibly     execute arbitrary code.(CVE-2019-14816)

  - ** RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2019-14815)

  - There is heap-based buffer overflow in Linux kernel,     all versions up to, excluding 5.3, in the marvell wifi     chip driver in Linux kernel, that allows local users to     cause a denial of service(system crash) or possibly     execute arbitrary code.(CVE-2019-14814)

  - drivers/net/wireless/ath/ath10k/usb.c in the Linux     kernel through 5.2.8 has a NULL pointer dereference via     an incomplete address in an endpoint     descriptor.(CVE-2019-15099)

  - drivers/net/wireless/ath/ath6kl/usb.c in the Linux     kernel through 5.2.9 has a NULL pointer dereference via     an incomplete address in an endpoint     descriptor.(CVE-2019-15098)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security     Fix(es):drivers/media/usb/dvb-usb/technisat-usb2.c in     the Linux kernel through 5.2.9 has an out-of-bounds     read via crafted USB device traffic (which may be     remote via usbip or usbredir).(CVE-2019-15505)An issue     was discovered in the Linux kernel through 5.2.13.
    nbd_genl_status in drivers/blockbd.c does not check the     nla_nest_start_noflag return     value.(CVE-2019-16089)drivers/scsi/qla2xxx/qla_os.c in     the Linux kernel 5.2.14 does not check the     alloc_workqueue return value, leading to a NULL pointer     dereference.(CVE-2019-16233)In the Linux kernel before     5.2.14, rds6_inc_info_copy in net/rds/recv.c allows     attackers to obtain sensitive information from kernel     stack memory because tos and flags fields are not     initialized.(CVE-2019-16714)driverset/wireless/rsi/rsi_     91x_usb.c in the Linux kernel through 5.2.9 has a     Double Free via crafted USB device traffic (which may     be remote via usbip or usbredir).(CVE-2019-15504)There     is heap-based buffer overflow in Linux kernel, all     versions up to, excluding 5.3, in the marvell wifi chip     driver in Linux kernel, that allows local users to     cause a denial of service(system crash) or possibly     execute arbitrary code.(CVE-2019-14814)There is     heap-based buffer overflow in marvell wifi chip driver     in Linux kernel,allows local users to cause a denial of     service(system crash) or possibly execute arbitrary     code.(CVE-2019-14815)There is heap-based buffer     overflow in kernel, all versions up to, excluding 5.3,     in the marvell wifi chip driver in Linux kernel, that     allows local users to cause a denial of service(system     crash) or possibly execute arbitrary     code.(CVE-2019-14816)driverset/wireless/ath/ath6kl/usb.
    c in the Linux kernel through 5.2.9 has a NULL pointer     dereference via an incomplete address in an endpoint     descriptor.(CVE-2019-15098)driverset/wireless/ath/ath10     k/usb.c in the Linux kernel through 5.2.8 has a NULL     pointer dereference via an incomplete address in an     endpoint descriptor.(CVE-2019-15099)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):An issue was discovered in     the Linux kernel before 5.2.3. Out of bounds access     exists in the functions     ath6kl_wmi_pstream_timeout_event_rx and     ath6kl_wmi_cac_event_rx in the file     driverset/wireless/ath/ath6kl/wmi.c.(CVE-2019-15926)An     issue was discovered in the Linux kernel before 5.0.6.
    There is a memory leak issue when idr_alloc() fails in     genl_register_family() in     netetlink/genetlink.c.(CVE-2019-15921)An issue was     discovered in the Linux kernel before 4.20.2. An     out-of-bounds access exists in the function     build_audio_procunit in the file     sound/usb/mixer.c.(CVE-2019-15927)An issue was     discovered in the Linux kernel before 5.0.9. There is a     use-after-free in atalk_proc_exit, related to     net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and     net/appletalk/sysctl_net_atalk.c.(CVE-2019-15292)An     issue was discovered in fs/xfs/xfs_super.c in the Linux     kernel before 4.18. A use after free exists, related to     xfs_fs_fill_super failure.(CVE-2018-20976)In the Linux     kernel before 5.1.13, there is a memory leak in     drivers/scsi/libsas/sas_expander.c when SAS expander     discovery fails. This will cause a BUG and denial of     service.(CVE-2019-15807)A vulnerability was found in     Linux kernel's, versions up to 3.10, implementation of     overlayfs. An attacker with local access can create a     denial of service situation via NULL pointer     dereference in ovl_posix_acl_create function in     fs/overlayfs/dir.c. This can allow attackers with     ability to create directories on overlayfs to crash the     kernel creating a denial of service     (DOS).(CVE-2019-10140)In the Linux kernel, a certain     net/ipv4/tcp_output.c change, which was properly     incorporated into 4.16.12, was incorrectly backported     to the earlier longterm kernels, introducing a new     vulnerability that was potentially more severe than the     issue that was intended to be fixed by backporting.
    Specifically, by adding to a write queue between     disconnection and re-connection, a local attacker can     trigger multiple use-after-free conditions. This can     result in a kernel crash, or potentially in privilege     escalation.(CVE-2019-15239)check_input_term in     sound/usb/mixer.c in the Linux kernel through 5.2.9     mishandles recursion, leading to kernel stack     exhaustion.(CVE-2019-15118)drivers     et/wireless/ath/ath10k/usb.c in the Linux kernel     through 5.2.8 has a NULL pointer dereference via an     incomplete address in an endpoint     descriptor.(CVE-2019-15099)drivers     et/wireless/ath/ath6kl/usb.c in the Linux kernel     through 5.2.9 has a NULL pointer dereference via an     incomplete address in an endpoint     descriptor.(CVE-2019-15098)A flaw was found in the     Linux kernel's Bluetooth implementation of UART. An     attacker with local access and write permissions to the     Bluetooth hardware could use this flaw to issue a     specially crafted ioctl function call and cause the     system to crash.(CVE-2019-10207)It was found that cephx     authentication protocol did not verify ceph clients     correctly and was vulnerable to replay attack. Any     attacker having access to ceph cluster network who is     able to sniff packets on network can use this     vulnerability to authenticate with ceph service and     perform actions allowed by ceph service. Ceph branches     master, mimic, luminous and jewel are believed to be     vulnerable.(CVE-2018-1128)ax25_create in     net/ax25/af_ax25.c in the AF_AX25 network module in the     Linux kernel through 5.3.2 does not enforce     CAP_NET_RAW, which means that unprivileged users can     create a raw socket, aka     CID-0614e2b73768.(CVE-2019-17052)ieee802154_create in     net/ieee802154/socket.c in the AF_IEEE802154 network     module in the Linux kernel through 5.3.2 does not     enforce CAP_NET_RAW, which means that unprivileged     users can create a raw socket, aka     CID-e69dbd4619e7.(CVE-2019-17053)atalk_create in     net/appletalk/ddp.c in the AF_APPLETALK network module     in the Linux kernel through 5.3.2 does not enforce     CAP_NET_RAW, which means that unprivileged users can     create a raw socket, aka     CID-6cc03e8aa36c.(CVE-2019-17054)base_sock_create in     drivers/isdn/mISDN/socket.c in the AF_ISDN network     module in the Linux kernel through 5.3.2 does not     enforce CAP_NET_RAW, which means that unprivileged     users can create a raw socket, aka     CID-b91ee4aa2a21.(CVE-2019-17055)llcp_sock_create in     net fc/llcp_sock.c in the AF_NFC network module in the     Linux kernel through 5.3.2 does not enforce     CAP_NET_RAW, which means that unprivileged users can     create a raw socket, aka     CID-3a359798b176.(CVE-2019-17056)A flaw was found in     the Linux kernel's freescale hypervisor manager     implementation, kernel versions 5.0.x up to, excluding     5.0.17. A parameter passed to an ioctl was incorrectly     validated and used in size calculations for the page     size calculation. An attacker can use this flaw to     crash the system, corrupt memory, or create other     adverse security     affects.(CVE-2019-10142)drivers/media/usb/dvb-usb/techn     isat-usb2.c in the Linux kernel through 5.2.9 has an     out-of-bounds read via crafted USB device traffic     (which may be remote via usbip or     usbredir).(CVE-2019-15505)An issue was discovered in     the Linux kernel before 5.0.4. The 9p filesystem did     not protect i_size_write() properly, which causes an     i_size_read() infinite loop and denial of service on     SMP systems.(CVE-2019-16413)An issue was discovered in     xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux     kernel through 5.2.9. XFS partially wedges when a chgrp     fails on account of being out of disk quota.
    xfs_setattr_nonsize is failing to unlock the ILOCK     after the xfs_qm_vop_chown_reserve call fails. This is     primarily a local DoS attack vector, but it might     result as well in remote DoS if the XFS filesystem is     exported for instance via NFS.(CVE-2019-15538)A buffer     overflow flaw was found, in versions from 2.6.34 to     5.2.x, in the way Linux kernel's vhost functionality     that translates virtqueue buffers to IOVs, logged the     buffer descriptors during migration. A privileged guest     user able to pass descriptors with invalid length to     the host when migration is underway, could use this     flaw to increase their privileges on the     host.(CVE-2019-14835)An out-of-bounds access issue was     found in the Linux kernel, all versions through 5.3, in     the way Linux kernel's KVM hypervisor implements the     Coalesced MMIO write operation. It operates on an MMIO     ring buffer 'struct kvm_coalesced_mmio' object, wherein     write indices 'ring->first' and 'ring->last' value     could be supplied by a host user-space process. An     unprivileged host user or process with access to     '/dev/kvm' device could use this flaw to crash the host     kernel, resulting in a denial of service or potentially     escalating privileges on the system.(CVE-2019-14821)An     information disclosure vulnerability exists when     certain central processing units (CPU) speculatively     access memory, aka 'Windows Kernel Information     Disclosure Vulnerability'.
    (CVE-2019-1125)drivers/scsi/qla2xxx/qla_os.c in the     Linux kernel 5.2.14 does not check the alloc_workqueue     return value, leading to a NULL pointer     dereference.(CVE-2019-16233)An issue was discovered in     the Linux kernel before 5.0.11. fm10k_init_module in     drivers et/ethernet/intel/fm10k/fm10k_main.c has a NULL     pointer dereference because there is no -ENOMEM upon an     alloc_workqueue failure.(CVE-2019-15924)An issue was     discovered in the Linux kernel before 5.2.1. There is a     use-after-free caused by a malicious USB device in the     drivers et/wireless/intersil/p54/p54usb.c     driver.(CVE-2019-15220 )In the Linux kernel before     5.1.7, a device can be tracked by an attacker using the     IP ID values the kernel produces for connection-less     protocols (e.g., UDP and ICMP). When such traffic is     sent to multiple destination IP addresses, it is     possible to obtain hash collisions (of indices to the     counter array) and thereby obtain the hashing key (via     enumeration). An attack may be conducted by hosting a     crafted web page that uses WebRTC or gQUIC to force UDP     traffic to attacker-controlled IP     addresses.(CVE-2019-10638)There is heap-based buffer     overflow in Linux kernel, all versions up to, excluding     5.3, in the marvell wifi chip driver in Linux kernel,     that allows local users to cause a denial of     service(system crash) or possibly execute arbitrary     code.( CVE-2019-14814)** RESERVED ** This candidate has     been reserved by an organization or individual that     will use it when announcing a new security problem.
    When the candidate has been publicized, the details for     this candidate will be provided.( CVE-2019-14815)There     is heap-based buffer overflow in kernel, all versions     up to, excluding 5.3, in the marvell wifi chip driver     in Linux kernel, that allows local users to cause a     denial of service(system crash) or possibly execute     arbitrary code.( CVE-2019-14816)A flaw was found in the     way Linux kernel KVM hypervisor emulated instructions     such as sgdt/sidt/fxsave/fxrstor. It did not check     current privilege(CPL) level while emulating     unprivileged instructions. An unprivileged guest     user/process could use this flaw to potentially     escalate privileges inside guest.(CVE-2018-10853)A NULL     pointer dereference was found in the net/rds/rdma.c
    __rds_rdma_map() function in the Linux kernel before     4.14.7 allowing local attackers to cause a system panic     and a denial-of-service, related to RDS_GET_MR and     RDS_GET_MR_FOR_DEST.(CVE-2018-7492)An issue was     discovered in the Linux kernel before 4.20.15. The     nfc_llcp_build_tlv function in net fc/llcp_commands.c     may return NULL. If the caller does not check for this,     it will trigger a NULL pointer dereference. This will     cause denial of service. This affects nfc_llcp_build_gb     in netfc/llcp_core.c.(CVE-2019-12818)An issue was     discovered in the Linux kernel before 5.1.8. There is a     NULL pointer dereference caused by a malicious USB     device in the drivers/media/usb/siano/smsusb.c     driver.(CVE-2019-15218)An issue was discovered in the     Linux kernel before 5.1.8. There is a NULL pointer     dereference caused by a malicious USB device in the     drivers/usb/misc/sisusbvga/sisusb.c     driver.(CVE-2019-15219)An issue was discovered in the     Linux kernel before 5.1.17. There is a NULL pointer     dereference caused by a malicious USB device in the     sound/usb/line6/pcm.c driver.(CVE-2019-15221)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP1 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2019-14835: A buffer overflow flaw was found in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could have used this flaw to increase their privileges on the host (bnc#1150112).

CVE-2019-15216: There was a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/yurex.c driver (bnc#1146361).

CVE-2019-15924: fm10k_init_module in drivers/net/ethernet/intel/fm10k/fm10k_main.c had a NULL pointer dereference because there was no -ENOMEM upon an alloc_workqueue failure (bnc#1149612).

CVE-2019-9456: In the Pixel C USB monitor driver there was a possible OOB write due to a missing bounds check. This could have led to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1150025).

CVE-2019-15031: In the Linux kernel on the powerpc platform, a local user could have read vector registers of other users' processes via an interrupt. To exploit the vulnerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process, because MSR_TM_ACTIVE was misused in arch/powerpc/kernel/process.c (bnc#1149713).

CVE-2019-15030: In the Linux kernel on the powerpc platform, a local user could have read vector registers of other users' processes via a Facility Unavailable exception. To exploit the venerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process because of a missing arch/powerpc/kernel/process.c check (bnc#1149713).

CVE-2019-15920: SMB2_read in fs/cifs/smb2pdu.c had a use-after-free.
(bnc#1149626).

CVE-2019-15921: There was a memory leak issue when idr_alloc() fails in genl_register_family() in net/netlink/genetlink.c (bnc#1149602).

CVE-2018-21008: A use-after-free could have been caused by the function rsi_mac80211_detach in the file drivers/net/wireless/rsi/rsi_91x_mac80211.c (bnc#1149591).

CVE-2019-15919: SMB2_write in fs/cifs/smb2pdu.c had a use-after-free (bnc#1149552).

CVE-2019-15917: There was a use-after-free issue when hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c (bnc#1149539).

CVE-2019-15926: An out-of-bounds access existed in the functions ath6kl_wmi_pstream_timeout_event_rx and ath6kl_wmi_cac_event_rx in the file drivers/net/wireless/ath/ath6kl/wmi.c (bnc#1149527).

CVE-2019-15927: An out-of-bounds access existed in the function build_audio_procunit in the file sound/usb/mixer.c (bnc#1149522).

CVE-2019-15902: Misuse of the upstream 'x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()' commit reintroduced the Spectre vulnerability that it aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped (bnc#1149376).

CVE-2019-15666: There was an out-of-bounds array access in
__xfrm_policy_unlink, which will cause denial of service, because verify_newpolicy_info in net/xfrm/xfrm_user.c mishandled directory validation (bnc#1148394).

CVE-2019-15219: There was a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/sisusbvga/sisusb.c driver (bnc#1146524).

CVE-2019-14814: There was a heap-based buffer overflow in the Marvell wifi chip driver, that allowed local users to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1146512).

CVE-2019-14815: There was a heap-based buffer overflow in the Marvell wifi chip driver, that allowed local users to cause a denial of service (system crash) or possibly execute arbitrary code.
(bsc#1146514)

CVE-2019-14816: There was a heap-based buffer overflow in the Marvell wifi chip driver, that allowed local users to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1146516).

CVE-2019-15220: There was a use-after-free caused by a malicious USB device in the drivers/net/wireless/intersil/p54/p54usb.c driver (bnc#1146526).

CVE-2019-15538: An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a local DoS attack vector, but it might result as well in remote DoS if the XFS filesystem is exported for instance via NFS (bnc#1148093).

  - Update reference for ath6kl fix     (CVE-2019-15290,bsc#1146543).

  - Update reference for ath6kl fix     (CVE-2019-15290,bsc#1146543).

CVE-2019-15099: drivers/net/wireless/ath/ath10k/usb.c had a NULL pointer dereference via an incomplete address in an endpoint descriptor (bnc#1146368).

CVE-2019-15098: drivers/net/wireless/ath/ath6kl/usb.c had a NULL pointer dereference via an incomplete address in an endpoint descriptor (bnc#1146378).

CVE-2019-15239: An incorrect backport of a certain net/ipv4/tcp_output.c fix allowed a local attacker to trigger multiple use-after-free conditions. This could result in a kernel crash, or potentially in privilege escalation. (bsc#1146589)

CVE-2019-15212: There was a double-free caused by a malicious USB device in the drivers/usb/misc/rio500.c driver (bnc#1146391).

CVE-2019-15292: There was a use-after-free in atalk_proc_exit, related to net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and net/appletalk/sysctl_net_atalk.c (bnc#1146678).

CVE-2019-15217: There was a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver (bnc#1146547).

CVE-2019-15211: There was a use-after-free caused by a malicious USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c did not properly allocate memory (bnc#1146519).

CVE-2019-15214: There was a use-after-free in the sound subsystem because card disconnection causes certain data structures to be deleted too early. This is related to sound/core/init.c and sound/core/info.c (bnc#1146550).

CVE-2019-15221: There was a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver (bnc#1146529).

CVE-2019-15222: There was a NULL pointer dereference caused by a malicious USB device in the sound/usb/helper.c (motu_microbookii) driver (bnc#1146531).

CVE-2019-15218: There was a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/siano/smsusb.c driver (bnc#1146413).

CVE-2019-15215: There was a use-after-free caused by a malicious USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver (bnc#1146425).

CVE-2019-15090: An issue was discovered in drivers/scsi/qedi/qedi_dbg.c in the qedi_dbg_* family of functions, there is an out-of-bounds read (bnc#1146399).

CVE-2018-20976: An issue was discovered in fs/xfs/xfs_super.c. A use after free exists, related to xfs_fs_fill_super failure (bnc#1146285).

CVE-2017-18551: An issue was discovered in drivers/i2c/i2c-core-smbus.c. There was an out of bounds write in the function i2c_smbus_xfer_emulated (bnc#1146163).

CVE-2019-15118: check_input_term in sound/usb/mixer.c mishandled recursion, leading to kernel stack exhaustion (bnc#1145922).

CVE-2019-15117: parse_audio_mixer_unit in sound/usb/mixer.c mishandled a short descriptor, leading to out-of-bounds memory access (bnc#1145920).

CVE-2019-10207: Bluetooth/hci_uart was missing a check for tty operations (bsc#1142857).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.

The following new features were implemented :

jsc#SLE-4875: [CML] New device IDs for CML

jsc#SLE-7294: Add cpufreq driver for Raspberry Pi

fate#326869: perf: pmu mem_load/store event support

fate#327380: KVM: Add hardware CPU Model - kernel part

fate#327377: KVM: Support for configurable virtio-crypto

fate#327775: vpmem: DRAM backed persistent volumes for improved SAP HANA on POWER restart times

fate#326472: Marvell Armada 7K/8K Ethernet (incl. 10G) kernel enablement

fate#326416: Hi1620 (Vendor: Huawei): RDMA kernel enablement

fate#326415: Hi1620 (Vendor: Huawei): HNS3 (100G) network kernel enablement

The following security bugs were fixed: CVE-2019-14835: Fix QEMU-KVM Guest to Host Kernel Escape. (bsc#1150112).

CVE-2019-15216: Fix a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/yurex.c driver. (bsc#1146361).

CVE-2019-15924: Fix a NULL pointer dereference because there was no

-ENOMEM upon an alloc_workqueue failure. (bsc#1149612).

CVE-2019-9456: In Pixel C USB monitor driver there was a possible OOB write due to a missing bounds check. This could have lead to local escalation of privilege with System execution privileges needed.
(bsc#1150025 CVE-2019-9456).

CVE-2019-15030, CVE-2019-15031: On the powerpc platform, a local user could read vector registers of other users' processes via an interrupt. (bsc#1149713)

CVE-2019-15920: SMB2_read in fs/cifs/smb2pdu.c had a use-after-free.
(bsc#1149626)

CVE-2019-15921: There was a memory leak issue when idr_alloc() failed (bsc#1149602)

CVE-2018-21008: A use-after-free can be caused by the function rsi_mac80211_detach (bsc#1149591).

CVE-2019-15919: SMB2_write in fs/cifs/smb2pdu.c had a use-after-free.
(bsc#1149552)

CVE-2019-15917: There was a use-after-free issue when hci_uart_register_dev() failed in hci_uart_set_proto() (bsc#1149539)

CVE-2019-15926: Out of bounds access existed in the functions ath6kl_wmi_pstream_timeout_event_rx and ath6kl_wmi_cac_event_rx (bsc#1149527)

CVE-2019-15927: An out-of-bounds access existed in the function build_audio_procunit (bsc#1149522)

CVE-2019-15902: A backporting error reintroduced the Spectre vulnerability that it aimed to eliminate. (bnc#1149376)

CVE-2019-15666: There was an out-of-bounds array access in
__xfrm_policy_unlink, which would cause denial of service, because verify_newpolicy_info mishandled directory validation. (bsc#1148394).

CVE-2019-15219: There was a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/sisusbvga/sisusb.c driver. (bsc#1146524)

CVE-2019-14814, CVE-2019-14815, CVE-2019-14816: Fix three heap-based buffer overflows in marvell wifi chip driver kernel, that allowed local users to cause a denial of service (system crash) or possibly execute arbitrary code. (bnc#1146516)

CVE-2019-15220: There was a use-after-free caused by a malicious USB device in the drivers/net/wireless/intersil/p54/p54usb.c driver.
(bsc#1146526)

CVE-2019-15538: XFS partially wedged when a chgrp failed on account of being out of disk quota. This was primarily a local DoS attack vector, but it could result as well in remote DoS if the XFS filesystem was exported for instance via NFS. (bsc#1148032, bsc#1148093)

CVE-2019-15290: There was a NULL pointer dereference caused by a malicious USB device in the ath6kl_usb_alloc_urb_from_pipe function (bsc#1146543).

CVE-2019-15098: USB driver net/wireless/ath/ath6kl/usb.c had a NULL pointer dereference via an incomplete address in an endpoint descriptor. (bsc#1146378).

CVE-2019-15221, CVE-2019-15222: There was a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver.
(bsc#1146529, bsc#1146531)

CVE-2019-10207: Fix a NULL pointer dereference in hci_uart bluetooth driver (bsc#1142857 bsc#1123959).

CVE-2019-15117: parse_audio_mixer_unit in sound/usb/mixer.c in the Linux kernel mishandled a short descriptor, leading to out-of-bounds memory access. (bsc#1145920).

CVE-2019-15118: check_input_term in sound/usb/mixer.c in the Linux kernel mishandled recursion, leading to kernel stack exhaustion.
(bsc#1145922).

CVE-2017-18551: There was an out of bounds write in the function i2c_smbus_xfer_emulated. (bsc#1146163).

CVE-2019-15090: In the qedi_dbg_* family of functions, there was an out-of-bounds read. (bsc#1146399)

CVE-2018-20976: A use after free existed, related to xfs_fs_fill_super failure. (bsc#1146285)

CVE-2019-15215: There was a use-after-free caused by a malicious USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver. (bsc#1135642 bsc#1146425)

CVE-2019-15212: There was a double-free caused by a malicious USB device in the drivers/usb/misc/rio500.c driver. (bsc#1051510 bsc#1146391).

CVE-2019-15292: There was a use-after-free in atalk_proc_exit (bsc#1146678)

CVE-2019-15217: There was a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver. (bsc#1146547).

CVE-2019-15214: There was a use-after-free in the sound subsystem because card disconnection causes certain data structures to be deleted too early. (bsc#1146550)

CVE-2019-15218: There was a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/siano/smsusb.c driver.
(bsc#1051510 bsc#1146413)

CVE-2019-15211: There was a use-after-free caused by a malicious USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c did not properly allocate memory.
(bsc#1146519).

CVE-2019-15239: An incorrect backport of a certain net/ipv4/tcp_output.c fix allowed a local attacker to trigger multiple use-after-free conditions. This could result in a kernel crash, or potentially in privilege escalation. (bsc#1146589)

CVE-2019-15099: drivers/net/wireless/ath/ath10k/usb.c had a NULL pointer dereference via an incomplete address in an endpoint descriptor. (bsc#1146368)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bugfixes.

The following new features were implemented :

jsc#SLE-4875: [CML] New device IDs for CML

jsc#SLE-7294: Add cpufreq driver for Raspberry Pi

fate#322438: Integrate P9 XIVE support (on PowerVM only)

fate#322447: Add memory protection keys (MPK) support on POWER (on PowerVM only)

fate#322448, fate#321438: P9 hardware counter (performance counters) support (on PowerVM only)

fate#325306, fate#321840: Reduce memory required to boot capture kernel while using fadump

fate#326869: perf: pmu mem_load/store event support

The following security bugs were fixed: CVE-2017-18551: There was an out of bounds write in the function i2c_smbus_xfer_emulated.
(bsc#1146163).

CVE-2018-20976: A use after free existed, related to xfs_fs_fill_super failure. (bsc#1146285)

CVE-2018-21008: A use-after-free can be caused by the function rsi_mac80211_detach (bsc#1149591).

CVE-2019-9456: In Pixel C USB monitor driver there was a possible OOB write due to a missing bounds check. This could have lead to local escalation of privilege with System execution privileges needed.
(bsc#1150025 CVE-2019-9456).

CVE-2019-10207: Fix a NULL pointer dereference in hci_uart bluetooth driver (bsc#1142857 bsc#1123959).

CVE-2019-14814, CVE-2019-14815, CVE-2019-14816: Fix three heap-based buffer overflows in marvell wifi chip driver kernel, that allowed local users to cause a denial of service (system crash) or possibly execute arbitrary code. (bnc#1146516)

CVE-2019-14835: Fix QEMU-KVM Guest to Host Kernel Escape.
(bsc#1150112).

CVE-2019-15030, CVE-2019-15031: On the powerpc platform, a local user could read vector registers of other users' processes via an interrupt. (bsc#1149713)

CVE-2019-15090: In the qedi_dbg_* family of functions, there was an out-of-bounds read. (bsc#1146399)

CVE-2019-15098: USB driver net/wireless/ath/ath6kl/usb.c had a NULL pointer dereference via an incomplete address in an endpoint descriptor. (bsc#1146378).

CVE-2019-15099: drivers/net/wireless/ath/ath10k/usb.c had a NULL pointer dereference via an incomplete address in an endpoint descriptor. (bsc#1146368)

CVE-2019-15117: parse_audio_mixer_unit in sound/usb/mixer.c in the Linux kernel mishandled a short descriptor, leading to out-of-bounds memory access. (bsc#1145920).

CVE-2019-15118: check_input_term in sound/usb/mixer.c in the Linux kernel mishandled recursion, leading to kernel stack exhaustion.
(bsc#1145922).

CVE-2019-15211: There was a use-after-free caused by a malicious USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c did not properly allocate memory.
(bsc#1146519).

CVE-2019-15212: There was a double-free caused by a malicious USB device in the drivers/usb/misc/rio500.c driver. (bsc#1051510 bsc#1146391).

CVE-2019-15214: There was a use-after-free in the sound subsystem because card disconnection causes certain data structures to be deleted too early. (bsc#1146550)

CVE-2019-15215: There was a use-after-free caused by a malicious USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver. (bsc#1135642 bsc#1146425)

CVE-2019-15216: Fix a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/yurex.c driver. (bsc#1146361).

CVE-2019-15217: There was a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver. (bsc#1146547).

CVE-2019-15218: There was a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/siano/smsusb.c driver.
(bsc#1051510 bsc#1146413)

CVE-2019-15219: There was a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/sisusbvga/sisusb.c driver. (bsc#1146524)

CVE-2019-15220: There was a use-after-free caused by a malicious USB device in the drivers/net/wireless/intersil/p54/p54usb.c driver.
(bsc#1146526)

CVE-2019-15221, CVE-2019-15222: There was a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver.
(bsc#1146529, bsc#1146531)

CVE-2019-15239: An incorrect backport of a certain net/ipv4/tcp_output.c fix allowed a local attacker to trigger multiple use-after-free conditions. This could result in a kernel crash, or potentially in privilege escalation. (bsc#1146589)

CVE-2019-15290: There was a NULL pointer dereference caused by a malicious USB device in the ath6kl_usb_alloc_urb_from_pipe function (bsc#1146543).

CVE-2019-15292: There was a use-after-free in atalk_proc_exit (bsc#1146678)

CVE-2019-15538: XFS partially wedged when a chgrp failed on account of being out of disk quota. This was primarily a local DoS attack vector, but it could result as well in remote DoS if the XFS filesystem was exported for instance via NFS. (bsc#1148032, bsc#1148093)

CVE-2019-15666: There was an out-of-bounds array access in
__xfrm_policy_unlink, which would cause denial of service, because verify_newpolicy_info mishandled directory validation. (bsc#1148394).

CVE-2019-15902: A backporting error reintroduced the Spectre vulnerability that it aimed to eliminate. (bnc#1149376)

CVE-2019-15917: There was a use-after-free issue when hci_uart_register_dev() failed in hci_uart_set_proto() (bsc#1149539)

CVE-2019-15919: SMB2_write in fs/cifs/smb2pdu.c had a use-after-free.
(bsc#1149552)

CVE-2019-15920: SMB2_read in fs/cifs/smb2pdu.c had a use-after-free.
(bsc#1149626)

CVE-2019-15921: There was a memory leak issue when idr_alloc() failed (bsc#1149602)

CVE-2019-15924: Fix a NULL pointer dereference because there was no

-ENOMEM upon an alloc_workqueue failure. (bsc#1149612).

CVE-2019-15926: Out of bounds access existed in the functions ath6kl_wmi_pstream_timeout_event_rx and ath6kl_wmi_cac_event_rx (bsc#1149527)

CVE-2019-15927: An out-of-bounds access existed in the function build_audio_procunit (bsc#1149522)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
136116	RHEL 8 : kernel-rt (RHSA-2020:1567)	Nessus	Red Hat Local Security Checks	high
136115	RHEL 8 : kernel (RHSA-2020:1769)	Nessus	Red Hat Local Security Checks	high
135685	RHEL 7 : kernel-alt (RHSA-2020:1493)	Nessus	Red Hat Local Security Checks	critical
134486	EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2020-1197)	Nessus	Huawei Local Security Checks	critical
133800	Ubuntu 16.04 LTS / 18.04 LTS : linux, linux-aws, linux-aws-hwe, linux-azure, linux-gcp, linux-gke-4.15, (USN-4287-1)	Nessus	Ubuntu Local Security Checks	medium
133797	Ubuntu 18.04 LTS / 19.10 : linux, linux-aws, linux-azure-5.3, linux-gcp, linux-gcp-5.3, linux-hwe, (USN-4284-1)	Nessus	Ubuntu Local Security Checks	medium
133354	Ubuntu 18.04 LTS : linux-aws-5.0, linux-gcp, linux-gke-5.0, linux-oracle-5.0 vulnerabilities (USN-4258-1)	Nessus	Ubuntu Local Security Checks	medium
131474	EulerOS Virtualization for ARM 64 3.0.3.0 : kernel (EulerOS-SA-2019-2309)	Nessus	Huawei Local Security Checks	high
130815	EulerOS 2.0 SP8 : kernel (EulerOS-SA-2019-2106)	Nessus	Huawei Local Security Checks	critical
130663	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2201)	Nessus	Huawei Local Security Checks	critical
130163	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2019:2738-1)	Nessus	SuSE Local Security Checks	critical
129345	openSUSE Security Update : the Linux Kernel (openSUSE-2019-2181)	Nessus	SuSE Local Security Checks	critical
129157	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2019:2424-1)	Nessus	SuSE Local Security Checks	critical
129154	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2019:2412-1)	Nessus	SuSE Local Security Checks	critical

CVE-2019-15099

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins